github.com/Azure/aad-pod-identity@v1.8.17/test/TESTING.md

# Testing on AAD Pod Identity

This doc lists the different pod identity scenarios tested as part of CI.

## Supported Tests

| Test Category | Tests | Description |
| --- | --- | --- |
| Single identity tests | <ul><li>should pass the identity validation</li><li>should delete the AzureAssignedIdentity if the pod is deleted</li><li>should not pass the identity validation if the AzureIdentity is deleted</li><li>should not pass the identity validation if the AzureIdentityBinding is deleted</li><li>should update AzureAssignedIdentity when AzureIdentity fields are updated in-place</li><li>should pass identity validation with correct identity and fail with wrong identity</li></ul> | When deploying single identity |
| Service Principal tests | <ul><li>should pass the identity validation with service principal type</li></ul> | When deploying service principal |
| Managing identities using az cli or portal | <ul><li>should not delete a user-assigned identity that is being used by a different pod</li><li>should be able to delete AzureAssignedIdentity when the user-assigned is un-assigned from the underlying node</li><li>should not alter the system-assigned identity after creating and deleting pod identity</li><li>should not alter the user-assigned identity on VM after AAD pod identity is created and deleted</li><li>should not delete the Immutable Identity from VMSS when the deployment is deleted</li><li>should reconcile identity assignment on Azure if the user-assigned identity is manually unassigned from the underlying node</li></ul> | When managing identities from the underlying nodes |
| Multiple identities tests | <ul><li>should remove the correct identities when adding AzureIdentity and AzureIdentityBinding in order and removing them in random order</li><li>should create AzureAssignedIdentities for 40 pods within 150 seconds</li><li>should create a new AzureAssignedIdentity when the pod label is changed</li></ul> | When deploying multiple identities |
| Liveness probe tests | <ul><li>should pass liveness probe test for MIC and NMI</li></ul> | When liveness probe is enabled |
| Init container tests | <ul><li>should assign identity with init container</li></ul> | When init containers are enabled |
| Pod Identity Exception tests | <ul><li>should pass validation by bypassing NMI using AzurePodIdentityException CRD</li></ul> | When deploying AzurePodIdentityException |
| Gatekeeper validation tests | <ul><li>should pass the identity format validation with gatekeeper constraint</li></ul> | When using AAD Pod Identity with Gatekeeper for AzureIdentity and AzureIdentityBinding validation |
| Disruption tests | <ul><li>should pass the identity validation even when MIC leader is changed</li></ul> | When AAD Pod Identity operations are disrupted |
| Block Instance Metadata feature tests | <ul><li>should receive a HTTP 403 response when contacting /metadata/instance endpoint</li></ul> | When blocking pods from accessing Instance Metadata Service |
| Backward compatibility and Upgrade tests | <ul><li>should be backward compatible with old and new version of MIC and NMI when upgrading from v1.5.x</li></ul> | When upgrading AAD Pod Identity |

## Load tests

- Load tests are run as part of the nightly CI job
- Load tests are run using [kubernetes/perf-tests](https://github.com/kubernetes/perf-tests)
- Load tests are run for aad-pod-identity `standard` and `managed` mode

### Test cluster configuration

- Cluster type: AKS
- Number of nodes: 30
- VM Size: `Standard_DS2_v2`
- Number of pods: 2000